YOU ARE REQUIRED TO READ THE COPYRIGHT NOTICE AT THIS LINK BEFORE YOU READ THE FOLLOWING WORK, THAT IS AVAILABLE SOLELY FOR PRIVATE STUDY, SCHOLARSHIP OR RESEARCH PURSUANT TO 17 U.S.C. SECTION 107 AND 108. IN THE EVENT THAT THE LIBRARY DETERMINES THAT UNLAWFUL COPYING OF THIS WORK HAS OCCURRED, THE LIBRARY HAS THE RIGHT TO BLOCK THE I.P. ADDRESS AT WHICH THE UNLAWFUL COPYING APPEARED TO HAVE OCCURRED. THANK YOU FOR RESPECTING THE RIGHTS OF COPYRIGHT OWNERS.

Hacked online cheating service AshleyMadison.com is portraying itself as a victim of malicious cybercriminals, but leaked emails from the company’s CEO suggest that AshleyMadison’s top leadership hacked into a competing dating service in 2012.

AshleyMadison CEO Noel Biderman. Source: Twitter.

Late last week, the Impact Team — the hacking group that has claimed responsibility for leaking personal data on more than 30 million AshleyMadison users — released a 30-gigabyte archive that it said consisted of emails lifted from AshleyMadison CEO Noel Biderman.

A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.

At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.

“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

Neither Bhatia nor Biderman could be immediately reached for comment. KrebsOnSecurity.com spoke with Bhatia last week after the Impact Team made good on its threat to release the Ashley Madison user database. At the time, Bhatia was downplaying the leak, saying that his team of investigators had found no signs that the dump of data was legitimate, and that it looked like a number of fake data dumps the company had seen in the weeks prior. Hours later, the leak had been roundly confirmed as legitimate by countless users on Twitter who were able to find their personal data in the cache of account information posted online.

The leaked Biderman emails show that a few months before Bhatia infiltrated Nerve.com, AshleyMadison’s parent firm — Avid Life Media — was approached with an offer to partner with and/or invest in the property. Email messages show that Bhatia initially was interested enough to offer at least $20 million for the company along with a second property called flirts.com, but that AshleyMadison ultimately declined to pursue a deal.

More than six months after Bhatia came to Biderman with revelations of the nerve.com security vulnerabilities, Biderman was set to meet with several representatives of the company. “Should I tell them of their security hole?” Biderman wrote to Bhatia, who doesn’t appear to have responded to that question via email.

The cache of emails leaked from Biderman runs from January 2012 to July 7, 2015 — less than two weeks before the attackers publicized their break-in on July 19. According to a press conference held by the Toronto Police today, AshleyMadison employees actually discovered the breach on the morning of July 12, 2015, when they came to work and powered on their computers only to find their screens commandeered with the initial message from the Impact Team — a diatribe accompanied by the song “Thunderstruck” from rock band AC/DC playing in the background.

Interestingly, less than a month before that episode, AshleyMadison executives seemed very keen on completing a series of internal security assessments, audits and security awareness training exercises for employees.

“Given our open registration policy and recent high profile exploits, every security consultant and their extended family will be trying to trump up business,” wrote Ashley Madison Director of Security Mark Steele to Biderman in an email dated May 25, 2015. “Our codebase has many (riddled?) XSS/CRSF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing). Other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging” [links added].

As bad as this breach has been for AshleyMadison and its millions of users, it’s likely nowhere near over: Hackers who have been combing through the company’s leaked email records have just released a “selected dox” archive — a collection of documents, images and other data from Biderman’s inbox, including a 100-page movie script co-written by Biderman called “In Bed With Ashley Madison.” Also included in the archive are dozens of other sensitive documents, including a scan of the CEO’s drivers licence, copies of personal checks, bank account numbers, home address, and his income statements for the last four years.

Also, the Impact Team still have not released data from the other Avid Life Media property they claim to have hacked — Establishedmen.com, a “sugar daddy” site that claims to connect wealthy men with willing young women.

Earlier today, Toronto Police announced that Avid Life Media had offered a $500,000 reward for information leading to the arrest and prosecution of the hacker or hackers responsible for the breach. But many readers took to Twitter or to the comments section on this site to denounce the bounty as an overdue or cynical ploy, with some saying the company should have offered the reward weeks ago — before the Impact Team released the company’s entire user database and caused so much irreversible damage.

Leaving aside the proliferation of sites that now allow suspicious spouses to search for their significant other’s email address in the AshleyMadison data leak, some users are finding themselves on the receiving end of online extortion attacks. Worse still, Toronto Police told reporters this morning that they have two unconfirmed reports of suicides associated with the leak of AshleyMadison customer profiles.

Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hookup service, whose slogan is “Life is short. Have an affair.”

The data released by the hacker or hackers — which self-identify as The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.

Reached by KrebsOnSecurity late Sunday evening, ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to take down ALM’s intellectual property. Indeed, in the short span of 30 minutes between that brief interview and the publication of this story, several of the Impact Team’s Web links were no longer responding.

“We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”

Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.

The compromise comes less than two months after intruders stole and leaked online user data on millions of accounts from hookup site AdultFriendFinder.

In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

Their demands continue:

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

A snippet of the message left behind by the Impact Team.

AM AND EM MUST SHUT DOWN IMMEDIATELY PERMANENTLY

We are the Impact Team.

We have taken over all systems in your entire office and production domains, all customer information databases, source code repositories, financial records, emails

Shutting down AM and EM will cost you, but non-compliance will cost you more: We will release all customer records, profiles with all the customers' secret sexual fantasies, nude pictures, and conversations and matching credit card transactions, real names and addresses, and employee documents and emails. Avid Life Media will be liable for fraud and extreme harm to millions of users.

Avid Life Media runs Ashley Madison, the internet's #1 cheating site, for people who are married or in a relationship to have an affair. ALM also runs Established Men, a prostitution/human trafficking website for rich men to pay for sex, as well as cougar life, a dating website for cougars, man crunch, a site for gay dating, swappernet for swingers, and the big and the beautiful, for overweight dating.

Trevor, ALM's CTO once said "Protection of personal information" was his biggest "critical success factors" and "I would hate to see our systems hacked and/or the leak of personal information"

Well Trevor, welcome to your worst fucking nightmare.

We are the Impact Team. We have hacked them completely, taking over their entire office and production domains and thousands of systems, and over the past few years have taken all.

It’s unclear how much of the AshleyMadison user account data has been posted online. For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.

“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”

ALM CEO Biderman declined to discuss specifics of the company’s investigation, which he characterized as ongoing and fast-moving. But he did suggest that the incident may have been the work of someone who at least at one time had legitimate, inside access to the company’s networks — perhaps a former employee or contractor.

“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

As if to support this theory, the message left behind by the attackers gives something of a shout out to ALM’s director of security.

“Our one apology is to Mark Steele (Director of Security),” the manifesto reads. “You did everything you could, but nothing you could have done could have stopped this.”

Several of the leaked internal documents indicate ALM was hyper aware of the risks of a data breach. In a Microsoft Excel document that apparently served as a questionnaire for employees about challenges and risks facing the company, employees were asked “In what area would you hate to see something go wrong?”

Trevor Stokes, ALM’s chief technology officer, put his worst fears on the table: “Security,” he wrote. “I would hate to see our systems hacked and/or the leak of personal information.”

In the wake of the AdultFriendFinder breach, many wondered whether AshleyMadison would be next. As the Wall Street Journal noted in a May 2015 brief titled “Risky Business for AshleyMadison.com,” the company had voiced plans for an initial public offering in London later this year with the hope of raising as much as $200 million.

“Given the breach at AdultFriendFinder, investors will have to think of hack attacks as a risk factor,” the WSJ wrote. “And given its business’s reliance on confidentiality, prospective AshleyMadison investors should hope it has sufficiently, er, girded its loins.”

Update, 8:58 a.m. ET: ALM has released the following statement about this attack:

“We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.”

“We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”

“We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.”

“At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible.”

“Avid Life Media has the utmost confidence in its business, and with the support of leading experts in IT security, including Joel Eriksson, CTO, Cycura, we will continue to be a leader in the services we provide. “I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business,” Eriksson said.”

More than 3.5 million people's sexual preferences, fetishes and secrets have been exposed after dating site Adult FriendFinder was hacked.

Already, some of the adult website's customers are being identified by name.

Adult FriendFinder asks customers to detail their interests and, based on those criteria, matches people for sexual encounters. The site, which boasts 64 million members, claims to have "helped millions of people find traditional partners, swinger groups, threesomes, and a variety of other alternative partners."

The information Adult FriendFinder collects is extremely personal in nature. When signing up for an account, customers must enter their gender, which gender they're interested in hooking up with and what kind of sexual situations they desire. Suggestions AdultFriendfinder provides for the "tell others about yourself" field include, "I like my partners to tell me what to do in the bedroom," "I tend to be kinky" and "I'm willing to try some light bondage or blindfolds."

The hack, which took place in March, was first uncovered by independent IT security consultant Bev Robb on her blog Teksecurity a month ago. But Robb did not name the site that was hacked. It wasn't until this week, when England's Channel 4 News reported on the hack, that Adult FriendFinder was named as the victim.

Included in the exposed personal information are customers' email addresses, usernames, passwords, birthdays and zip codes, in addition to their sexual preferences. No credit card data has yet been uncovered as part of the hack.

That data is incredibly revealing and potentially damaging.

Andrew Auernheimer, a controversial computer hacker who looked through the files, used Twitter to publicly identify Adult FriendFinder customers, including a Washington police academy commander, an FAA employee, a California state tax worker and a naval intelligence officer who supposedly tried to cheat on his wife.

Asked why he was doing this, Auernheimer said: "I went straight for government employees because they seem the easiest to shame."

Millions of others remain unnamed for now, but anyone can open the files -- which remain freely available online. That could allow anyone to extort Adult FriendFinder customers.

For instance, the security consultant Robb reported that one person whose information was hacked was a 62-year-old Hispanic male from New Jersey, who worked in advertising and has a preference for the "subporno" forum. That, combined with his username and other account details, gave Robb enough information to Google him, find his real name, and find his social media pages.

The information exposed can be particularly devastating to people living in small towns, where they are more easily identified. For example, one person exposed in the hack is a 40-year-old welder from a small Illinois town of a few thousand people. He "will become anybody's slave" and lied about his age on the site, claiming to be 29.

The breach was carried out by a hacker who goes by the moniker ROR[RG]. In an online hacker forum, he said he blackmailed Adult FriendFinder, telling the site he would expose the data online unless the company paid him $100,000.

On the forum, hackers immediately praised ROR[RG], saying they were planning on using the data to attack the victims.

"i am loading these up in the mailer now / i will send you some dough from what it makes / thank you!!" wrote a hacker who goes by "MAPS."

FriendFinder Networks Inc., parent company of Adult FriendFinder and other adult sites and publications including Penthouse, said in a statement that it had just become aware of the breach, and it is working closely with law enforcement and cyberforensics company Mandiant, a FireEye (FEYE) subsidiary.

The company said it doesn't yet know the full scope of the breach, but it promised to "work vigilantly," noting that FriendFinder Networks "fully appreciates the seriousness of the issue."

"We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected," the company said.

Many news sites and blogs are reporting that the data stolen last month from 37 million users of AshleyMadison.com — a site that facilitates cheating and extramarital affairs — has finally been posted online for the world to see. In the past 48 hours, several huge dumps of data claiming to be the actual AshleyMadison database have turned up online. But there are precious few details in them that would allow one to verify these claims, and the company itself says it so far sees no indication that the files are legitimate.

Update, 11:52 p.m. ET: I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it’s been almost exactly 30 days since the original hack. Finally, all of the accounts created at Bugmenot.com for Ashleymadison.com prior to the original breach appear to be in the leaked data set as well. I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.

Original story:

A huge trove of data nearly 10 gigabytes in size was dumped onto the Deep Web and onto various Torrent file-sharing services over the past 48 hours. According to a story at Wired.com, included in the files are names, addresses and phone numbers apparently attached to AshleyMadison member profiles, along with credit card data and transaction information. Links to the files were preceded by a text file message titled “Time’s Up” (see screenshot below).

The message left by the latest group claiming to have leaked the hacked AshleyMadison.com database.

TIME'S UP!

Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.

Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world's biggest affair site, but never had one. He just tried to. If that distinction matters.

Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you'll get over it.

Any data not signed with key 6E50 3F39 BA6A D81D ECFF 2437 3CD5 74AB AA38 is fake.

Impact Team's statement on the release
Impact Team's PGP signature for the released statement
Impact Team's PGP Key
Torrent for the released data

Note from Quantum Magazine/Q7765:

We are not Impact Team, in case that wasn't clear.

Please use this data responsibly.

If you find our hosting of the release data useful, please consider looking at our text based magazine called Quantum.

Thank you.

- Quantum7765

From taking in much of the media coverage of this leak so far — for example, from the aforementioned Wired piece or from the story at security blogger Graham Cluley’s site — readers would most likely conclude that this latest collection of leaked data is legitimate. But after an interview this evening with Raja Bhatia — AshleyMadison’s original founding chief technology officer — I came away with a different perspective.

Bhatia said he is working with an international team of roughly a dozen investigators who are toiling seven days a week, 24 hours a day just to keep up with all of the fake data dumps claiming to be the stolen AshleyMadison database that was referenced by the original hackers on July 19. Bhatia said his team sees no signs that this latest dump is legitimate.

“On a daily basis, we’re seeing 30 to 80 different claimed dumps come online, and most of these dumps are entirely fake and being used by other organizations to capture the attention that’s been built up through this release,” Bhatia said. “In total we’ve looked at over 100GB of data that’s been put out there. For example, I just now got a text message from our analysis team in Israel saying that the last dump they saw was 15 gigabytes. We’re still going through that, but for the most part it looks illegitimate and many of the files aren’t even readable.”

The former AshleyMadison CTO, who’s been consulting for the company ever since news of the hack broke last month, said many of the fake data dumps the company has examined to date include some or all of the files from the original July 19 release. But the rest of the information, he said, is always a mix of data taken from other hacked sources — not AshleyMadison.com.

“The overwhelming amount of data released in the last three weeks is fake data,” he said. “But we’re taking every release seriously and looking at each piece of data and trying to analyze the source and the veracity of the data.”

Bhatia said the format of the fake leaks has been changing constantly over the last few weeks.

“Originally, it was being posted through Imgur.com and Pastebin.com, and now we’re seeing files going out over torrents, the Dark Web, and TOR-based URLs,” he said.

To help locate new troves of data claiming to be the files stolen from AshleyMadison, the company’s forensics team has been using a tool that Netflix released last year called Scumblr, which scours high-profile sites for specific terms and data.

“For the most part, we can quickly verify that it’s not our data or it’s fake data, but we are taking each release seriously,” Bhatia said. “Scumblr helps accelerate the time it takes for us to detect new pieces of data that are being released. For the most part, we’re finding the majority of it is fake. There are some things that have data from the original release, but other than that, what we’re seeing is other generic files that have been introduced, fake SQL files.”

Bhatia said this most recent leak is especially amusing because it included actual credit card data, even though AshleyMadison.com has never stored credit card information.

“There’s definitely not credit card information, because we don’t store that,” Bhatia said. “We use transaction IDs, just like every other PCI compliant merchant processor. If there is full credit card data in a dump, it’s not from us, because we don’t even have that. When someone completes a payment, what happens is from our payment processor, we get a transaction ID back. That’s the only piece of information linking to a customer or consumer of ours. If someone is releasing credit card data, that’s not from us. We don’t have that in our databases or our own systems.”

A screen shot of the archive released recently that many believe is the leaked AshleyMadison database.

I should be clear that I have no idea whether this dump is in fact real; I’m only reporting what I have been able to observe so far. I have certainly seen many people I know on Twitter saying they’ve downloaded the files and found data from friends who’d acknowledged being members of the site.

Nearly every day since I first reported the exclusive story of the Ashley Madison hack on July 19, I’ve received desperate and sad emails from readers who were or are AshleyMadison users and who wanted to know if the data would ever be leaked, or if I could somehow locate their information in any documents leaked so far. Unfortunately, aside from what I’ve reported here and in my original story last month, I don’t have any special knowledge or insight into this attack.

My first report on this breach quoted AshleyMadison CEO Noel Biderman saying the company suspected the culprit was likely someone who at one time had legitimate access to the company’s internal networks. I’d already come to the same conclusion by that time, and I still believe that’s the case. So I asked Bhatia if the company and/or law enforcement in Canada or the United States had apprehended anyone in relation to this hack.

Bhatia declined to answer, instead referring me to the written statement posted on its site today, which noted that the investigation is still ongoing and that the company is simultaneously cooperating fully with law enforcement investigations, including by the Royal Canadian Mounted Police, the Ontario Provincial Police, the Toronto Police Services and the U.S. Federal Bureau of Investigation.

“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities,” the statement reads. “We know that there are people out there who know one or more of these individuals, and we invite them to come forward. While we are confident that the authorities will identify and prosecute each of them to the fullest extent of the law, we also know there are individuals out there who can help to make this happen faster.”

Readers should understand that even if this dump does turn out to be legit, just finding someone’s name, email address and other data in the archives doesn’t mean that person was a real user. As the above-mentioned Graham Cluley points out, AshleyMadison never bothered to verify the email addresses given to it by its users.

“So, I could have created an account at Ashley Madison with the address of barack.obama@whitehouse.gov, but it wouldn’t have meant that Obama was a user of the site,” Cluley wrote. “Journalists and commentators would be wise to remember that the credentials stored by Ashley Madison must be considered suspect because of their shonky practices, even before you start considering whether any leaked databases are falsified or not.”

Toronto, ON August 18, 2015 – Last month we were made aware of an attack to our systems. We immediately launched a full investigation utilizing independent forensic experts and other security professionals to assist with determining the origin, nature, and scope of this attack. Our investigation is still ongoing and we are simultaneously cooperating fully with law enforcement investigations, including by the Royal Canadian Mounted Police, the Ontario Provincial Police, the Toronto Police Services and the U.S. Federal Bureau of Investigation.

We have now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data. We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort. Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.

This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully cooperate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law.

Every week sees new hacks disclosed by companies large and small, and though this may now be a new societal reality, it should not lessen our outrage. These are illegitimate acts that have real consequences for innocent citizens who are simply going about their daily lives. Regardless, if it is your private pictures or your personal thoughts that have slipped into public distribution, no one has the right to pilfer and reveal that information to audiences in search of the lurid, the titillating, and the embarrassing.

We know that there are people out there who know one or more of these individuals, and we invite them to come forward. While we are confident that the authorities will identify and prosecute each of them to the fullest extent of the law, we also know there are individuals out there who can help to make this happen faster. Anyone with information that can lead to the identification, arrest and conviction of these criminals, can contact information@avidlifemedia.com.

As I'm sure you'll remember, popular adultery website Ashley Madison got hacked in July. The hackers - who went by the name of the Impact Team - demanded that its owners, Avid Life Media, shut down the site and sister sites including Cougar Life and Established Men.

If their demands weren't met, the hackers threatened to release details of some 37 million Ashley Madison users.

And then?

Nothing. Well, Ashley Madison didn't shut down at least. Maybe some members tried to delete their accounts in panic (although that was rather like closing the door after the horse had bolted), and Avid Life Media generously decided to start offering account removals for free rather than charging $15.

So why are you writing about this again now?

Because people claiming to be the Impact Team have released what they say is the database of Ashley Madison users on torrent sites, available for anyone on the internet to download.

That sounds bad. Is it?

Chances are that many people who are members of the Ashley Madison website will feel uncomfortable with their boss, friends, partner or mother-in-law knowing about it. So they probably won't be happy if the leaked database is genuine.

It's easy to imagine that some people might be vulnerable to blackmail, if they don't want details of their membership or sexual proclivities to become public.

Others might find the thought that their membership of the site - even if they never met anyone in real life, and never had an affair - too much to bear, and there could be genuine casualties as a result.

And yes, I mean suicide.

But if they're on the Ashley Madison website, don't they deserve what's coming to them?

No.

For one thing, being a member of a dating site, even a somewhat seedy one like Ashley Madison, is no evidence that you have cheated on your partner.

You might have joined the site years before when you were single and be shocked that they still have your details in their database, or you might have joined the site out of curiosity or for a laugh or even to find out if someone else was on the site... never seriously planning to take things any further.

But more importantly than all of that, if your email address is in the Ashley Madison database it means nothing. The owner of that email address may never have even visited the Ashley Madison site.

As Per Thorsheim explained in an article last month, Ashley Madison *never* bothered to verify the email addresses given to it by users.

So, I could have created an account at Ashley Madison with the address of barack.obama@whitehouse.gov, but it wouldn't have meant that Obama was a user of the site. (Apologies to Michelle for any concern I may have caused her by mentioning her husband's name in relation to this article - I'm sure he has more important things to do with his time than to join online dating sites, anyway)

Journalists and commentators would be wise to remember that the credentials stored by Ashley Madison must be considered suspect because of their shonky practices, even before you start considering whether any leaked databases are falsified or not.

The Ashley Madison hack - further thoughts on its aftermath
by Per Thorsheim
July 28, 2015

This weekend, I warned of the serious danger of jumping to the wrong conclusions if the Ashley Madison user database ever becomes public, and how - because the site doesn't properly authenticate email addresses - any such data doesn't prove anything.

I was shocked when Graham told me that my article had been picked up by British newspaper Daily Mirror.

But there have been other developments...

A call from an Ashley Madison user

I woke up Sunday morning, and received an SMS in Norwegian, shortly after breakfast. Here is my simple translation:

"Dear Per Thorsheim! Thank you for your post at grahamcluley.com. I am one of those affected by the things you wrote about, and I feel bad. We need more like you out there to adjust the perspective."

Since then, I have exchanged many messages with this gentleman, and we have even spoken on the phone.

I don't know his name, but he is in his fifties, has kids and is married. Not long ago, during a hard period in his life, he created an account on the Ashley Madison site.

He says he looked around, and engaged in a little "dirty chat" with some women.

But he never met anyone. He says some people drink or find other ways to vent their frustrations in life. To him flirting on the Ashley Madison website became a short escape from reality.

He regretted his actions, he told his wife, he was forgiven and life and marriage goes on.

But now he is afraid of the leaked data eventually being released publicly, because his kids, neighbours, colleagues and others may not understand his situation at all.

Stories of suicide

I came across an American news website that published a fake story about a man committing suicide in the aftermath of the Ashley Madison security breach. They even quoted the alleged suicide note which claimed the man's death was a direct consequence of the hack.

Bogus news report of Ashley Madison-related suicide

[DELETE] of Chicago, IL, had been married for the past 11 years. He and his wife had two children, owned a home, and by all outward appearances were living the American dream. However, Donald was seeking intimate relationships with women other than his wife and was using the Ashley Madison site to do so.

In a suicide note recovered by police, [DELETE] expressed his regrets, and why he chose to take his own life. “I am sory[sic] for being unfaithful. I know that you will leave me now and take the kids. I know that I will be fired from my job at your fathers[sic] company and that my life as I know it is going to change drastically for the worse. So I’m just going too[sic] make it easy on you. You get everything. Goodbye.”

The coroner’s report indicates that [DELETE] took a fatal dose of prescription medication. His death has been ruled a suicide, and authorities say they do not believe there was any foul play involved.

Why a website, purporting to contain legitimate news, would run a fake story about a man committing suicide after the Ashley Madison breach is beyond my understanding.

What I do know though, is that the press here in my home country of Norway are very careful around use of the word "suicide". There is a danger that if we talk about such personal tragedies in such detail in the press, others may follow.

What the howling wolves don't seem to understand is that what they are doing is online bullying. The kind of bullying that clearly can cause such personal tragedies.

"If they are cheating, they deserve it" the wolves reply.

While I totally disagree with that argument, let me add that their kids do not deserve to lose a parent. Their family doesn't deserve to lose a loved one. And that also applies to friends, colleagues, neighbors and others.

If you are found to have bullied somebody into suicide however... I believe you deserve jail time for that.

Was Ashley Madison extorting money from users?

Many articles - including the one that The Intercept published - have mentioned that Ashley Madison demands money to have accounts deleted, and have described the practice as "extortion".

Full Delete
Be Discreet, remove all traces of your usage for only [Euros] 15.00
DELETE YOUR PROFILE
Full Delete Removal Includes:
Removal of profile from search results
Removal of profile from the site
Removal of messages sent and received
Removal of messages from recipient's mailboxes including Winks & Gifts
Removal of site usage history and personally identifiable information from the site
Removal of photos
Note: It may take up to 48 hours for some traces of your profile to be fully removed.

(I'm pleased to hear that Ashley Madison is now allowing users to delete their accounts for free).

I have my own experiences of what some may consider extortion.

For instance, once, at a nightclub in Berlin, I was given a small card at the entrance. The waiters would cut small marks into the card when I ordered beer and drinks, and when I left the club they counted the marks and gave me the bill.

What would happen if I lost the card? I would have to pay the maximum price before I was allowed to leave. I remember considering that as "a funny way to commit extortion".

Another time, I acquired a free SSL certificate from one of the many certificate authorities out there. Did I read the EULA for that? Of course not! Silly me...

Because if I had I would have seen that if I ever wanted or needed to revoke the certificate because my site and certificate became compromised, I would have to pay money to have it revoked. I wonder if The Intercept would consider that extortion as well?

The definition of extortion as far as I can see says that it is a criminal offence. Yet the three examples given above are all still legal as far as I know.

So don't beat Ashley Madison up for asking for money to have accounts deleted - you may not approve of that business practice, but users should really have read the EULA when they created their accounts in the first place.

What Ashley Madison did wrong was to make it way too easy for people to create fake accounts using other people's names, pictures and email addresses.

Raise your hand if you always read the EULA before signing up for a service or product, and I'll gift-wrap and send you a stone, so that you can throw the first one.

The recent Ashley Madison hacking incident drove one Chicago, IL man to take his own life.

Ashley Madison is a dating website which specializes in infidelity. As per the site’s FAQ, “… If you still feel that you will seek a person other than your partner to fill your unmet needs, then we truly believe that our service is the best place to start.”

But perhaps Ashley Madison is not the best place to start, as they recently announced their database had been hacked, and the personal information of millions of users stolen. The hackers, calling themselves ‘Impact Team’, released a manifesto where they call the site’s customers “scum bags”, and state their plans to continue releasing the personal information until ashleymadison.com is removed from the web.

Surprising to no one, the hacker’s actions are having serious -- and in one case, fatal -- consequences.

Donald Bradshaw of Chicago, IL, had been married for the past 11 years. He and his wife had two children, owned a home, and by all outward appearances were living the American dream. However, Donald was seeking intimate relationships with women other than his wife and was using the Ashley Madison site to do so.

In a suicide note recovered by police, Donald expressed his regrets, and why he chose to take his own life. “I am sory[sic] for being unfaithful. I know that you will leave me now and take the kids. I know that I will be fired from my job at your fathers[sic] company and that my life as I know it is going to change drastically for the worse. So I’m just going too[sic] make it easy on you. You get everything. Goodbye.”

The coroner’s report indicates that Donald took a fatal dose of prescription medication. His death has been ruled a suicide, and authorities say they do not believe there was any foul play involved.

It’s unknown if or how Ashley Madison executives will respond, and all press inquiries from United Media Publishing have been ignored.

After several false starts with dumps of corrupted and therefore inaccessible Ashley Madison CEO email files by hackers Impact Team, a new file was dumped early this morning. This dump was confirmed by numerous sources, including Brian Krebs, who indicated that it looked “like the third . . dump is a corrected version of AshMad CEO’s inbox, to fix the last dump that was corrupted.”

TrustedSec also confirmed this morning that Impact Team had released a new dump “apparently fixing the zip file issue from the CEO’s emails from the 2nd dump release.” Further according to TrustedSec, the extracted size of the file is about 30G that “on first pass shows that it is a Gmail archive file, ranging from July 7, 2015 back to Jan 10, 2012.” The file “appears to contain approximately 200k total emails from 6800 unique senders to 3600 unique recipients.” TrustedSec indicated that it will not be doing any further analysis.

Per Thorsheim, CEO and Security Adviser, God Praksis AS, confirmed to me independently by email that there were 200,000 or more emails, with 93.2 percent downloaded. Thorsheim does not have the files and is reporting based on examination of the external file directory.

Thorsheim stated that the attack on Ashley Madison/Avid Life Media is “terrifying because of the ferocity of the attack, the timing of data release to extend the ‘media life’ of the story. . .and the disrespect for Ashley Madison users, their family, friends and other innocent people being affected.”

“The combination of massive sensitive personal information, amount of users affected and ferocity and stamina of the attackers sends a strong signal to any business worldwide to brace themselves for the future,” Thorsheim added.

As indicated in my previous report on the latest dumps, the potential stakes in this dump may be higher than in the dumps of user data.

There is sensitive intellectual property in these files including source code and now, accessible emails that most likely contain trade secrets, including business discussions, possibly about the planned IPO and other sensitive information.

“JOSH DUGGAR CHEATED WITH ME!”: WOMAN TELLS ALL ABOUT THEIR TWO SEXUAL ENCOUNTERS
by In Touch Weekly
August 26, 2015

In a bombshell world-exclusive interview with In Touch magazine, stripper and porn star Danica Dillon, 28, reveals she had sex not once, but on two separate occasions, with Josh Duggar, both occurring when his wife, Anna, was pregnant with their fourth child!

Danica — who passed a polygraph test conducted for In Touch by a top certified polygrapher on Aug. 24 — details her two sexual encounters with Josh in the new issue of In Touch, on newsstands now. The first occurred after Josh approached her at the Gold Club in Philadelphia, where she was performing, in mid-March and the second only a month later when Danica was performing at Creekside Cabaret in Colmar, Pa.

“He walked into the Gold Club like a normal patron and said he’d been a fan for a long time and has watched my career grow — he even said from before my boob job until recently — and that he loved watching my very first scene on [an adult website],” she tells In Touch. “Then it got creepy.”

After watching her show and "eyeballing me," Danica says he bought $600 in private dances and then “asked me how would he be able to spend the evening with me.” She reveals to In Touch that Josh was violent with her when they had sex, he did not use protection and gave her thousands of dollars after their encounters.

Danica admits she “took the opportunity because Josh offered to gift [her] $1,500.” But soon after Josh arrived at her hotel room, things got rough.

“He was manhandling me, basically tossing me around like I was a rag doll,” says Danica, whose real name is Ashley Lewis, and although the sex was consensual, “It was very traumatic. I’ve had rough sex before, but this was terrifying.”

Josh, identified as one of the cheating spouses in the Ashley Madison hack, confirmed in a statement that he was unfaithful and had a pornography addiction: "I have been the biggest hypocrite ever. While espousing faith and family values, I have secretly over the last several years been viewing pornography on the Internet and this became a secret addiction and I became unfaithful to my wife."

“I think that after I come out, there will probably be plenty more girls after me," Danica tells In Touch. “I actually really hope that his wife leaves him and takes his children away from him and leaves him a lonely, bitter man. I don’t think he deserves happiness.”

Read Danica’s full story about both of her sexual encounters with Josh Duggar only in the new issue of In Touch magazine, on newsstands now!